Change Session Settings

Oracle Identity Cloud Service session settings include the session duration, URLs for login, logout, errors, and social callback, the authentication flow for accessing Oracle Identity Cloud Service, and CORS settings.

To open this page, you must be assigned the identity domain administrator role or the security administrator role.
  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Session Settings.
  2. In the Session Duration field, enter a duration in minutes.


    The Session Duration is the duration in minutes for which the user’s session is valid. The user's session will time out after the Session Duration has been reached regardless of actual user activity or inactivity.
  3. In the Login URL field, enter the URl where you want the user redirected to log in.
  4. Select the Enable Custom Login Page For The Admin Console switch to allow login-customization for the Admin Console.
  5. Enter a Logout URL.
    For example, to redirect the user to the My Profile console, enter /ui/v1/myconsole.
  6. In the Error URL field, enter the tenant specific Error page URL to which a user is redirected after an error.
    This URL is used when the Application specific Custom Error URL is not specified for an Application.
  7. In the Social Linking Callback URL field, enter the URL that Oracle Identity Cloud Service redirects to after linking a user between social providers and Oracle Identity Cloud Service is complete.
    This URL is used when the Application specific Social Linking Callback URL is not specified for an Application.
  8. (Optional) Select the Enable User Name First switch to allow the use of passwordless authentication.

    This setting changes the conventional user name and password login to user name, followed by another administrator-configured factor to log in.


    This option appears only if passwordless authentication is enabled. If this option doesn’t appear, then contact Oracle Support to enable passwordless authentication.

    If you turn on the Enable User Name First switch, then users will be shown two pages when they sign in to Oracle Identity Cloud Service. In the first page, the user provides their user name, and then clicks Sign In. Oracle Identity Cloud Service evaluates the criteria in the identity provider policies to determine which identity providers and local authentication factors (such as Email, Mobile App Notification, Mobile App Passcode, Text Message, or User Name-Password) will be available to the user to sign in to Oracle Identity Cloud Service. These identity providers and local authentication factors appear in the second page. The user uses one of the identity providers or authentication factors to access Oracle Identity Cloud Service. See Add an Identity Provider Policy to see how you can configure login options for users.

    If you turn off this switch, then in the Sign In page, the user can authenticate into Oracle Identity Cloud Service either locally, by providing their credentials (user name and password), or by using a SAML or social identity provider.

  9. (Optional) Turn on Allow Cross-Origin Resource Sharing (CORS).

    If you turn this option on, you might also want to set the Allowed CORS Domain Names option.

    If you need to configure Cloud Gate CORS settings in Oracle Identity Cloud Service, then you use the Oracle Identity Cloud Service REST API. See Configuring Cloud Gate CORS Settings in Oracle Identity Cloud Service.

  10. Leave the Show The Specific Error Message For Login Policy Violation switch on.
    This option is switched on by default and allows the system to display the specific policy-violation error-message if the login policy is violated. Although this option is less secure, but is more helpful. However, if the switch is turned off, the system displays the standard error message. This is the most secure behavior.
  11. Click Save.
An additional session setting is to set device fingerprinting, where user device attributes are processed and the fingerprint is stored in a browser cookie to uniquely identify a user's system. See Use Device Fingerprints.